ebpfkit-monitor is a tool that detects and protects against eBPF powered rootkits

Overview

ebpfkit-monitor

License: GPL v2 License

ebpfkit-monitor is an utility that you can use to statically analyse eBPF bytecode or monitor suspicious eBPF activity at runtime. It was specifically designed to detect ebpfkit.

Disclaimer

This project is not an official Datadog product (experimental or otherwise), it is just code that happens to be developed by Datadog employees as part of an independent security research project. The rootkit herein is provided for educational purposes only and for those who are willing and curious to learn about ethical hacking, security and penetration testing with eBPF.

Do not attempt to use these tools to violate the law. The author is not responsible for any illegal action. Misuse of the provided information can result in criminal charges.

System requirements

  • golang 1.13+
  • This project was developed on an Ubuntu Focal machine (Linux Kernel 5.4)
  • Kernel headers are expected to be installed in lib/modules/$(uname -r) (see Makefile)
  • clang & llvm (11.0.1)
  • Graphviz (to generate graphs)
  • go-bindata (go get -u github.com/shuLhan/go-bindata/...)

Build

  1. To build ebpfkit-monitor, run:
# ~ make
  1. To install ebpfkit-monitor (copies ebpfkit-monitor to /usr/bin/ebpfkit-monitor) run:
# ~ make install

Getting started

Run ebpfkit-monitor -h to get help.

# ~ ebpfkit-monitor -h
Usage:
  ebpfkit-monitor [command]

Available Commands:
  graph       graph generates a graphviz representation of the ELF file
  help        Help about any command
  map         prints information about one or multiple maps
  prog        prints information about one or multiple programs
  report      prints summarized information about the maps and programs
  start       start monitoring the bpf syscall at runtime

Flags:
  -h, --help               help for ebpfkit-monitor
  -l, --log-level string   log level (options: panic, fatal, error, warn, info, debug or trace). Set to "debug" to see bpf events. (default "info")

Use "ebpfkit-monitor [command] --help" for more information about a command.

Examples

List all the program sections provided in the ELF file

# ~ ebpfkit-monitor prog --asset my_elf_file.o

Dump the bytecode of a program

# ~ ebpfkit-monitor prog --asset my_elf_file.o --section kprobe/my_program --dump

List all the programs that use the bpf_probe_write_user eBPF helper

# ~ ebpfkit-monitor prog --asset my_elf_file.o --helper BpfProbeWriteUser

List all the programs that interact with the "piped_progs" eBPF map

# ~ ebpfkit-monitor prog --asset my_elf_file.o --map piped_progs

List all the maps declared in the ELF file

# ~ ebpfkit-monitor map --asset my_elf_file.o

Monitor the bpf syscall and print events to the screen

# ~ sudo ebpfkit-monitor start --log-level debug

Monitor the bpf syscall and write the captured events in a file

# ~ sudo ebpfkit-monitor start --output /tmp

Monitor the bpf syscall, write the captured events in a file and ensure that only "bpftool" is allowed to use the "bpf" syscall

# ~ sudo ebpfkit-monitor start --output /tmp --allowed-processes "/usr/sbin/bpftool"

Generate a graph from the provided ELF file

# ~ ebpfkit-monitor graph -a my_elf_file.o
INFO[2021-08-03T13:19:12Z] Graph generated: /tmp/ebpfkit-monitor-graph-4104912074
# ~ fdp -Tsvg /tmp/ebpfkit-monitor-graph-4104912074 > ./graphs/output.svg

output.svg

Future work

  • Move the project to BTF & CO-RE
  • Use lsm eBPF programs instead of bpf_override_return for access control

License

  • The golang code is under Apache 2.0 License.
  • The eBPF programs are under the GPL v2 License.
Issues
  • eBPF need licese ?failed to start.

    eBPF need licese ?failed to start.

    sudo ebpfkit-monitor start FATAL[2022-06-05T12:23:40Z] failed to start ebpfkit-monitor: failed to setup eBPF manager: failed to init eBPF manager: load license: missing license section I use strace to trace the syscall and info,but it did not get the license alert before.I've search the google and find nothing about it.

    4351 execve("/usr/bin/ebpfkit-monitor", ["ebpfkit-monitor", "start"], 0x7fffb3caa7a0 /* 24 vars /) = 0 4351 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) 4351 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 4351 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=23241, ...}, AT_EMPTY_PATH) = 0 4351 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 4351 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=2216304, ...}, AT_EMPTY_PATH) = 0 4351 openat(AT_FDCWD, "/sys/kernel/mm/transparent_hugepage/hpage_pmd_size", O_RDONLY) = 3 4351 openat(AT_FDCWD, "/proc/stat", O_RDONLY|O_CLOEXEC) = 3 4351 newfstatat(AT_FDCWD, "/usr/bin/getconf", {st_mode=S_IFREG|0755, st_size=35112, ...}, 0) = 0 4351 openat(AT_FDCWD, "/dev/null", O_RDONLY|O_CLOEXEC) = 3 4358 execve("/usr/bin/getconf", ["/usr/bin/getconf", "CLK_TCK"], 0xc00009cf70 / 24 vars */) = 0 4358 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) 4358 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 4358 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=23241, ...}, AT_EMPTY_PATH) = 0 4358 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 4358 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=2216304, ...}, AT_EMPTY_PATH) = 0 4358 openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = 3 4358 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=353616, ...}, AT_EMPTY_PATH) = 0 4358 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache", O_RDONLY) = 3 4358 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=27002, ...}, AT_EMPTY_PATH) = 0 4358 openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_MESSAGES", O_RDONLY|O_CLOEXEC) = 3 4358 newfstatat(3, "", {st_mode=S_IFDIR|0755, st_size=4096, ...}, AT_EMPTY_PATH) = 0 4358 openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_MESSAGES/SYS_LC_MESSAGES", O_RDONLY|O_CLOEXEC) = 3 4358 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=48, ...}, AT_EMPTY_PATH) = 0 4358 newfstatat(1, "", {st_mode=S_IFIFO|0600, st_size=0, ...}, AT_EMPTY_PATH) = 0 4358 +++ exited with 0 +++ 4353 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4358, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- 4351 newfstatat(AT_FDCWD, ".", {st_mode=S_IFDIR|0700, st_size=4096, ...}, 0) = 0 4351 newfstatat(AT_FDCWD, "/root", {st_mode=S_IFDIR|0700, st_size=4096, ...}, 0) = 0 4351 openat(AT_FDCWD, "/proc/net/psched", O_RDONLY|O_CLOEXEC) = 3 4351 openat(AT_FDCWD, "/proc/stat", O_RDONLY|O_CLOEXEC) = 3 4351 readlinkat(AT_FDCWD, "/proc/self/exe", "/usr/bin/ebpfkit-monitor", 128) = 24 4351 openat(AT_FDCWD, "/etc/os-release", O_RDONLY|O_CLOEXEC) = 3 4351 openat(AT_FDCWD, "/proc/kallsyms", O_RDONLY|O_CLOEXEC) = 3 4351 --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=4351, si_uid=0} --- 4351 openat(AT_FDCWD, "/etc/localtime", O_RDONLY) = 3 4357 +++ exited with 1 +++

    opened by pythonmandev 13
  • Question about the error when running make command

    Question about the error when running make command

    Hi, I encountered this error when I am running the make command image I'm suspecting its because kconfig.h does not exist at /lib/modules like what was stated in the system requirements image But, I'm not really sure how I can resolve this issue as I'm a new Linux user, I've checked that the linux-headers is installed and the kconfig.h exists at /usr/src/linux-headers-4.19.0-20-common/include/linux. Anyone has any idea how I can resolve this issue? Thanks in advance.

    opened by flairekq 7
Owner
Guillaume Fournier
Guillaume Fournier
pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities.

pwru (packet, where are you?) pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities. It allo

Cilium 788 Jun 28, 2022
Run WPS PIN attacks (Pixie Dust, online bruteforce, PIN prediction) without monitor mode with the wpa_supplicant

Overview OneShot-C - implementation of OneShot on C OneShot-С performs Pixie Dust attack without having to switch to monitor mode. Features Pixie Dust

null 11 Apr 15, 2022
libsinsp, libscap, the kernel module driver, and the eBPF driver sources

falcosecurity/libs As per the OSS Libraries Contribution Plan, this repository has been chosen to be the new home for libsinsp, libscap, the kernel mo

Falco 97 Jun 22, 2022
Linux Application Level Firewall based on eBPF and NFQUEUE.

eBPFSnitch eBPFSnitch is a Linux Application Level Firewall based on eBPF and NFQUEUE. It is inspired by OpenSnitch, and Douane, but utilizing modern

Harpo Roeder 641 Jun 17, 2022
eBPF bytecode assembler and compiler

An eBPF bytecode assembler and compiler that * Assembles the bytecode to object code. * Compiles the bytecode to C macro preprocessors. Symbolic

Emil Masoumi 6 Jan 23, 2022
A Rust crate that simplifies the integration of Rust and eBPF programs written in C.

This crate simplifies the compilation of eBPF programs written in C integrating clang with Rust and the cargo build system with functions that can be

Simone Margaritelli 19 Mar 16, 2022
bpflock - eBPF driven security for locking and auditing Linux machines

bpflock - Lock Linux machines bpflock - eBPF driven security for locking and auditing Linux machines. This is a Work In Progress: bpflock is currently

The Linux lock machine projects 64 Jun 7, 2022
Parca-agent - eBPF based always-on profiler auto-discovering targets in Kubernetes and systemd, zero code changes or restarts needed!

Parca Agent Parca Agent is an always-on sampling profiler that uses eBPF to capture raw profiling data with very low overhead. It observes user-space

Parca 155 Jun 30, 2022
Example how to run eBPF probes without a usermode process using fentry

Pinning eBPF Probes Simple example to demonstrate how to pin kernel function and syscall probes. Overview From my reading of the kernel code, KProbe a

pat_h/to/file 3 Jun 7, 2021
eBPF implementation that runs on top of Windows

eBPF for Windows eBPF is a well-known technology for providing programmability and agility, especially for extending an OS kernel, for use cases such

Microsoft 1.4k Jun 27, 2022
A very basic eBPF Load Balancer in a few lines of C

An eBPF Load Balancer from scratch As seen at eBPF Summit 2021. This is not production ready :-) This uses libbpf as a git submodule. If you clone thi

Liz Rice 136 Jun 16, 2022
skbtracer on ebpf

skbtracer skbtracer 基于 ebpf 技术的 skb 网络包路径追踪利器, 实现代码基于 BCC (required Linux Kernel 4.15+) 使用样例 skbtracer.py # trace

DavadDi 45 Jun 18, 2022
some experiments with ebpf

Learning eBPF and some kernel tracing, probe DNS + TCP connection with portable bpf prog. DevEnv Ubuntu 20.04 Install go Install make, clang, llvm Ins

null 9 Jun 19, 2022
Small utility that leverages eBPF to dump the traffic of a unix domain socket

UnixDump UnixDump is a small eBPF powered utility that can be used to dump unix socket traffic. System requirements This project was developed on a Ub

Guillaume Fournier 5 Dec 1, 2021
The Beginner's Guide to eBPF Programming for Networking

The Beginner's Guide to eBPF Programming for Networking As seen at Cloud Native eBPF Day 2021. Setup Create a container that we can issue curl request

Liz Rice 66 Jun 21, 2022
Dectect syscall hooking using eBPF

BPF-HookDetect Detect Kernel Rootkits hooking syscalls Overview Details To Build To Run Example Test Resources Overview Kernel Rootkits such as Diamor

pat_h/to/file 22 May 28, 2022
A collection of eBPF programs demonstrating bad behavior

Bad BPF A collection of malicious eBPF programs that make use of eBPF's ability to read and write user data in between the usermode program and the ke

pat_h/to/file 207 Jun 20, 2022
A list of network measurement sketch algorithms implemented in eBPF

eBPF Sketches This repository contains a list of the most famous sketches implemented within the eBPF/XDP subsystem. In particular, we have: Count Ske

null 11 May 22, 2022
A Linux Host-based Intrusion Detection System based on eBPF.

eHIDS 介绍 eBPF内核技术实现的HIDS demo. 功能实现: TCP网络数据捕获 UDP网络数据捕获 uprobe方式的DNS信息捕获 进程数据捕获 uprobe方式实现JAVA的RASP命令执行场景事件捕获 eBPF的go框架实现,针对kprobe\uprobe挂载方式,多类型even

CFC4N 233 Jun 19, 2022